stopping javascript insert into database table

php_2004

hi,

I expect it is possible, but can't seem to find what im looking for at the moment.

How could i stop user entering javascript script into a form, well at least stop the data being saved in the database?

(as you can probably guess if the data is saved in the database, then it will get excuted when viewed)

Thanks for any help and advice in advance....

drew010

you can use [man]htmlspecialchars[/man] to turn all html tags into their html entities, i.e. < will become <. or if you just want to filter javascript tags and everything between them, you can try this.

$forminput = preg_replace("'<script[^{>]?>.?</script>'si",} "", $forminput);

thats given $forminput is the name of the variable where the user input is.

php_2004

would this mean that although the javascript would not be display, that a load of charcters such as <. would be saved in the database?

drew010

i really gave you two different options there.

assume your variable with the user input again is $forminput.

one option is:

$forminput = htmlspecialchars($forminput);

that would take special characters and turn things like < into < & into & etc. it would also effect html. if they used <b>text</b>, it wont be bold on your output but it would actually show the tags.

the other option i gave was this:

$forminput = preg_replace("'<script[^{>]?>.?</script>'si",} "", $forminput);

that will only affect javascript, and it would actually remove all script tags along with their code
so if someone put
<script language="javascript">
window.location = "http://www.mysite.com";
</script>

it would remove ALL of that javascript and leave the rest of their post untouched.

php_2004

yeah, sorry i read the post wrongly, you did give two possble answers..

The "preg_replace" works for me, although i tested the script with mutliple javascript statement and it only deals with the first javascript statement, so the user could still get around this.... any ideas?

Thanks for your time and advice on the matter

drew010

thats odd, the preg_replace should go thru the whole entire string and replace all the matches it finds. here is an example that removed 3 instances of javascript.

<?

$forminput = <<<EOD
"test text",
heres some js
<script>
window.location = "http://www.hacked.com";
</script>

bye bye
now here comes more
<script language="javascript">
window.open ("www.drew-phillips.com", "mywindow");
</script>
more text here
<script Language="JavaScript">
var test = new Array();
var bday = new Date();

document.write(5 + 5);
</script>
after third js.
EOD;

$forminput = preg_replace("'<script[^>]*?>.*?</script>'si", "", $forminput); 

echo nl2br($forminput);

?>

after running that i was left with just this:
"test text",<br />
heres some js<br />
<br />
<br />
bye bye<br />
now here comes more<br />
<br />
more text here<br />
<br />
after third js.

so as you can see it got rid of all 3 script events.

php_2004

Ok thanks drew.

When i tested the code, i just entered the test javascript , that you had used in the early example.

e.g.

It maybe the way in which my code is stuctured that it hasn't worked the same way as you predicted. I'll have to play about and see whether i can change the outcome.

Thanks again for your time and help, must appreciated